Technology managers at the Center for American Progress sought an IT tool that would bring together the logs of all activity so that information could be effectively mined.

As a high-profile, Washington-based think tank, the Center for American Progress takes strong positions on hot-button topics, such as health care reform, the Middle East and the state of the economy. With John Podesta, former chief of staff to former President Bill Clinton as its president and CEO, CAP remains firmly planted on the left side of the political equation.

Since the business of Washington is about taking sides and then taking aim, it’s not surprising that CAP is a frequent target. But attacks on this organization extend beyond the standard “hit and run” e-mails sent by the political opposition. At its headquarters, CAP routinely hosts VIPs such as Vice President Joe Biden, former British Prime Minister Tony Blair, and countless U.S. representatives and senators.

CAP’s IT enterprise manages all communications and data-sharing functions needed to support this level of activity. Consequently, there are always attempts to penetrate its network—often by organizations that are based outside the United States.

As many as 70,000 log-ins a day are attempted by hacker bots trying to guess the organization’s passwords. And then there are the constant “spear phishing” attacks, in which hackers compromise desktop and user resources by penetrating the network and pretending to conduct normal user activity, while actually seeking to swipe any useful information they can get.

“It’s quite common for one of our employees to get e-mails that look as if they came from someone they’ve been regularly corresponding with,” says Nick Levay, manager of information security and operations for CAP. “But they are actually from attackers, who then get inside our network and infect employees’ [computers] with malware. They also infect those with whom the employee is in constant contact. Then they burrow into the network and get whatever information they can. They’re patient, and they’re good.”

Fighting Back

In 2009, enterprise technology managers for the Center for American Progress started fighting back. They sought a new IT tool that would bring together the logs of all activity on the enterprise so the information could be more effectively mined.

Much of this data was spread throughout separate locations, depending on whether it was based on a Windows, Cisco, Unix, Linux or other system. That meant the IT staffers couldn’t make enterprisewide inquiries of log activity, which drastically slowed down the process of investigating attacks.

The CAP infrastructure includes 12 physical servers and up to 70 virtual ones at a co-location center, as well as two dozen in-house servers. But the IT department has a team of just 14 people for about 300 users.

“If we had an IP address that was the source of an attack, we had to hunt throughout the entire enterprise to track its activity,” Levay recalls. “It would take three or four hours, and the process really crawled. And it’s not just about tracking the attack pattern; it’s about thinking how to minimize its impact and avoid it in the future.”

To eliminate the time drag, CAP launched a dashboard-style, network-monitoring solution package from LogRhythm that essentially bundled all log data and search functions in one place. It helps CAP automate the collection, correlation and analysis of event data throughout the enterprise, completing tasks that previously took hours—or even days—in minutes or seconds.

“We can now distinguish the very subtle differences between a hacker’s patterns and those of a regular user,” Levay says, adding that this detection is highly adaptive for multiple vendors’ systems. “If an employee has an open connection for hours, we expect him or her to dump a lot of data. But a hacker may not do that. That’s what this solution detects.”

CAP is also saving more on operational costs because it’s able to find previously unnoticed problems within the network. For example, the think tank constantly advocates “green” initiatives on a global level, but the LogRhythm solution found that many CAP staffers didn’t have a double-sided print option set as their default setting. Once this was uncovered, staffers’ default settings were corrected, saving money and helping the organization practice what it preaches.

“At the same time, we found out that many employees were printing documents in full color that could have been black and white, so we set black and white as their default,” Levay adds. “The color cartridges and toners are more expensive, so this change will save us a good amount of money in the long run.”